Your message dated Sun, 22 Mar 2026 07:34:09 +0000
with message-id <[email protected]>
and subject line Bug#1131477: fixed in node-socket.io-parser 4.2.1+~3.1.0-4
has caused the Debian Bug report #1131477,
regarding node-socket.io-parser: CVE-2026-33151
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131477: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131477
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-socket.io-parser
Version: 4.2.1+~3.1.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 4.2.1+~3.1.0-2
Hi,
The following vulnerability was published for node-socket.io-parser.
CVE-2026-33151[0]:
| Socket.IO is an open source, real-time, bidirectional, event-based,
| communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6,
| a specially crafted Socket.IO packet can make the server wait for a
| large number of binary attachments and buffer them, which can be
| exploited to make the server run out of memory. This issue has been
| patched in versions 3.3.5, 3.4.4, and 4.2.6.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-33151
https://www.cve.org/CVERecord?id=CVE-2026-33151
[1] https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-socket.io-parser
Source-Version: 4.2.1+~3.1.0-4
Done: Yadd <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-socket.io-parser, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-socket.io-parser package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 22 Mar 2026 08:13:27 +0100
Source: node-socket.io-parser
Architecture: source
Version: 4.2.1+~3.1.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 1131477
Changes:
node-socket.io-parser (4.2.1+~3.1.0-4) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.3
* Drop "Rules-Requires-Root: no"
* Drop "Priority: optional"
* debian/watch version 5
* Add build-dependency on node-is-path-inside
* Add patch for CVE-2026-33151: limit binary attachments per packet
(Closes: #1131477, CVE-2026-33151)
--- End Message ---
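
Added example, not part of the messages above and not the Debian or upstream patch: a sketch of the mitigation named in the changelog ("limit binary attachments per packet") applied to the buffering behaviour the CVE text describes. It assumes the Socket.IO packet layout `<type>[<attachment count>-]<rest>` with types 5 and 6 as the binary packets; `decodeHeader`, `BoundedDecoder`, `MAX_ATTACHMENTS` and the limit of 10 are hypothetical.

```javascript
// Added sketch; decodeHeader, BoundedDecoder and MAX_ATTACHMENTS are hypothetical
// names, not the socket.io-parser API. The limit of 10 is an assumed value.
const BINARY_EVENT = 5, BINARY_ACK = 6;
const MAX_ATTACHMENTS = 10;

// Parse "<type>[<count>-]<rest>" and reject oversized counts before buffering.
function decodeHeader(str, maxAttachments = MAX_ATTACHMENTS) {
  if (typeof str !== "string" || !/^[0-6]/.test(str)) throw new Error("invalid packet type");
  const type = Number(str[0]);
  if (type !== BINARY_EVENT && type !== BINARY_ACK) {
    return { type, attachments: 0, rest: str.slice(1) };
  }
  // Bounded digit run, so an absurdly long number never reaches Number().
  const m = /^(\d{1,10})-/.exec(str.slice(1));
  if (!m) throw new Error("invalid attachment count");
  const attachments = Number(m[1]);
  if (attachments > maxAttachments) throw new Error("too many attachments");
  return { type, attachments, rest: str.slice(1 + m[0].length) };
}

class BoundedDecoder {
  constructor(maxAttachments = MAX_ATTACHMENTS) {
    this.max = maxAttachments;
    this.pending = null; // set while binary frames are still expected
  }
  // Feed one frame (string or binary); returns a completed packet or null.
  add(frame) {
    if (typeof frame === "string") {
      if (this.pending) throw new Error("text frame while awaiting binary");
      const header = decodeHeader(frame, this.max);
      if (header.attachments === 0) return { ...header, buffers: [] };
      this.pending = { header, buffers: [] };
      return null;
    }
    if (!this.pending) throw new Error("unexpected binary frame");
    this.pending.buffers.push(frame);
    if (this.pending.buffers.length < this.pending.header.attachments) return null;
    const done = { ...this.pending.header, buffers: this.pending.buffers };
    this.pending = null;
    return done;
  }
}

// Constructed frames: a header declaring 1000 attachments is refused up front.
const demo = new BoundedDecoder();
try { demo.add('51000-["upload"]'); } catch (e) { console.log("rejected:", e.message); }
```

The count is checked when the header is parsed, so the decoder never enters the waiting state for a packet it would refuse; per-frame size limits remain the transport's job.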